SEPTEMBER 26, 2013

AUDIT REPORT

OFFICE OF AUDITS

NASA’S COMPLIANCE WITH EXECUTIVE ORDER 13526: CLASSIFIED NATIONAL SECURITY INFORMATION

OFFICE OF INSPECTOR GENERAL

National Aeronautics and Space Administration

REPORT NO. IG-13-023 (ASSIGNMENT NO. A-13-017-00)

Final report released by:

Paul K. Martin
Inspector General

Acronyms

CIGIE   Council of the Inspectors General on Integrity and Efficiency
CFR     Code of Federal Regulations
DOD     Department of Defense
FY      Fiscal Year
NPR     NASA Procedural Requirements
OIG     Office of Inspector General
OCA     Original Classification Authority
OPS     Office of Protective Services

OVERVIEW

NASA’S COMPLIANCE WITH EXECUTIVE ORDER 13526: CLASSIFIED NATIONAL SECURITY INFORMATION

The Issue

In December 2009, the President signed Executive Order 13526, “Classified National Security Information” (Order), to reform the security classification and declassification processes.[1] The Order was intended to produce greater openness and transparency in the Government’s classification and declassification programs while maintaining the Government’s legitimate interests to protect certain information from unauthorized disclosure.

Public Law 111-258, “Reducing Over-Classification Act” of 2010, requires the Inspector General of each Federal department or agency with an employee who is authorized to make original classifications to assess agency compliance with the Order.[2] In response to the Act, we (1) assessed whether NASA has adopted, followed, and effectively administered classification policies, procedures, rules, and regulations and (2) identified policies, procedures, rules, regulations, or management practices that may be contributing to misclassification of material at the Agency. In accordance with the Act, we will conduct a second evaluation by September 30, 2016, to review the actions NASA takes in response to this review. Details on the scope and methodology for our review can be found in Appendix A.

Results

NASA has adopted classification policies and issued regulations that comply with security classification reform requirements.
Specifically, NASA has established procedural requirements for the proper implementation and management of a uniform system for classifying, accounting for, safeguarding, and declassifying national security information under its control. However, while the Agency’s procedures meet Federal requirements, its implementing directive does not require Agency personnel with classification authority to receive all necessary training. Additionally, we found instances in which Agency personnel were not consistently following these NASA policies. Specifically, we found classified documents that were improperly marked, training requirements that were not met, and self-inspections that were not fully implemented. Although these deficiencies were relatively minor in nature, failure to comply with these requirements increases the risk that personnel may inadvertently misclassify material.

[1] Classified national security information or classified information means information that has been determined pursuant to Executive Order 13526 or any predecessor order to require protection against unauthorized disclosure. Classification means the act or process by which information is determined to be classified information. Declassification means the authorized change in the status of information from classified information to unclassified information.
[2] “Reducing Over-Classification Act” of 2010, Public Law 111-258, 111th Congress (October 7, 2010).

Management Action

We recommended that the NASA Assistant Administrator for Protective Services revise NASA’s classification implementing policy so it is consistent with the Order.
In addition, we recommended the Assistant Administrator ensure that persons with classification authority receive all required training and the Agency’s self-inspection program identifies and mitigates future occurrences of marking and training deficiencies.

In response to our draft report, the Assistant Administrator for Protective Services concurred with our recommendations. Specifically, the Office of Protective Services (OPS) agreed to revise NASA policy to clarify that individuals who apply derivative classification markings must receive the required training prior to classifying any information. Additionally, the Assistant Administrator will issue an interim policy to all Centers containing the revised mandatory requirements. Further, to improve the Agency’s self-inspection program OPS will formalize criteria for annual Center self-inspections, provide self-inspection sheets for tracking purposes, and measure the Centers’ progress as part of the Integrated Security Functional Reviews. We consider the proposed actions to be responsive and will close the recommendations upon completion and verification of the corrective actions. Management’s full response is reprinted in Appendix B.

CONTENTS

INTRODUCTION
    Background
    Objectives

RESULTS
    NASA’s Policies Comply with Requirements of Executive Order 13526
    NASA Does Not Consistently Follow Federal Requirements for Classifying National Security Information

APPENDIX A
    Scope and Methodology
    Review of Internal Controls
    Prior Coverage

APPENDIX B
    Management Comments

APPENDIX C
    Report Distribution

INTRODUCTION

Background

The over-classification of information can interfere with accurate, actionable, and timely information sharing; increase the cost of information security; and needlessly limit stakeholder and public access to information. Executive Order 13526, “Classified National Security Information” (Order), was intended to ensure greater openness and transparency in Federal classification and declassification programs while maintaining the legitimate interests of the United States in protecting certain information from unauthorized disclosure.
In June 2010, the Information Security Oversight Office (Oversight Office) published guidance to assist agencies in implementing the Order and to provide direction related to classifying, downgrading, declassifying, and safeguarding national security information.[3] This guidance included rules for:

  • classification, declassification, and marking principles;
  • safeguarding classified information;
  • agency security education and training programs;
  • agency self-inspection programs; and
  • reporting requirements.[4]

Classified information must be marked appropriately to indicate its status. The three classification levels are:

  • Top Secret – as determined by the original classification authority, the unauthorized disclosure of such information could reasonably be expected to cause exceptionally grave damage to national security.
  • Secret – as determined by the original classification authority, the unauthorized disclosure of such information could reasonably be expected to cause serious damage to national security.
  • Confidential – as determined by the original classification authority, the unauthorized disclosure of such information could reasonably be expected to cause damage to national security.

[3] The Oversight Office, a component of the National Archives and Records Administration, is responsible to the President for policy and oversight of the Government-wide security classification system and the National Industrial Security Program. Specifically, the Oversight Office’s Classification Management Staff develops security classification policies for classifying, declassifying, and safeguarding national security information.
[4] 32 Code of Federal Regulations (CFR) Parts 2001 and 2003, “Classified National Security Information: Final Rule” (2010).

Over-Classification. The Order defines over-classification as classification of information that does not meet one or more of the following standards:

  • an original classification authority (OCA) has classified the information;[5]
  • the information is owned by, produced by or for, or under the control of the U.S. Government;
  • the information falls within one or more of seven categories of information;[6] and
  • the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to national security and the original classification authority is able to identify or describe the damage.

Original and Derivative Classification Actions. Information may be classified either originally or derivatively. Original classification means an initial determination that information requires, in the interest of the national security, protection against unauthorized disclosure. Derivative classification means incorporating, paraphrasing, restating, or generating in new form information that is already classified, and marking the newly developed material consistent with the classification markings that apply to the source information.
Derivative classification includes the classification of information based on classification guidance. The duplication or reproduction of existing classified information is not derivative classification.

Persons who reproduce, extract, or summarize classified information or who apply classification markings derived from source material or as directed by a classification guide, need not possess original classification authority. Information may be derivatively classified from a source document or documents or based on a classification guide.[7]

[5] Original classification authority means an individual authorized in writing by the President, the Vice President, or by agency heads or other officials designated by the President, to classify information in the first instance.
[6] These categories are: (1) military plans, weapons systems, or operations; (2) foreign government information; (3) intelligence activities; (4) foreign relations or foreign activities of the United States; (5) scientific, technological, or economic matters relating to the national security; (6) U.S. Government programs for safeguarding nuclear materials or facilities; (7) vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security; or (8) the development, production, or use of weapons of mass destruction.
[7] Source document means an existing document containing classified information that is incorporated, paraphrased, restated, or generated in new form into a new document. Classification guide means a documentary form of classification guidance issued by an original classification authority that identifies the elements of information regarding a specific subject that must be classified and establishes the level and duration of classification for each such element.

Objectives

Pursuant to the “Reducing Over-Classification Act” of 2010, the NASA Office of Inspector General (OIG) evaluated NASA’s system for classifying, safeguarding, and declassifying national security information. Our objectives were to:

  • assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered within NASA; and
  • identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification of material within NASA.

See Appendix A for details of the evaluation’s scope and methodology, our review of internal controls, and a list of prior coverage.

RESULTS

NASA’S POLICIES COMPLY WITH REQUIREMENTS OF EXECUTIVE ORDER 13526

NASA has adopted classification policies and issued regulations that comply with Federal security classification reform requirements. Specifically, NASA Procedural Requirements (NPR) 1600.2, “NASA Classified National Security Information,” establishes Agency procedures for the proper implementation and management of a uniform system for classifying, accounting, safeguarding, and declassifying national security information generated by or in the possession of NASA. Based on our review of NPR 1600.2, we concluded that NASA complied with Executive Order 13526 and the Oversight Office’s implementing directive, 32 CFR Part 2001. The Order sets forth criteria agencies must meet to comply, and, as illustrated in Table 1, NASA met all applicable criteria.

Table 1: Compliance Summary

Criteria for Compliance                                          Criteria Met?
---------------------------------------------------------------  -------------
Does the NPR cite Executive Order 13526 and 32 CFR, Part 2001    Yes
for authorizing NASA Classified National Security Information
Program?
Does the NPR require the senior agency official to direct and    Yes
administer the program?
Does the NPR cite the classification standards?                  Yes
Are the classification levels provided and only the three        Yes
levels authorized for use?
Does the NPR emphasize the 25-year automatic declassification    Yes
and downgrading of NASA Classified National Security
Information?
Does the NPR require the agency to establish a secure            Yes
capability to receive information, allegations, or complaints
regarding over-classification or incorrect classification
within the agency?
Does the agency submit annual Standard Form 311 to Information   Yes
Security Oversight Office?

Source: NASA OIG’s review of NPR 1600.2

The Assistant Administrator for Protective Services is the Senior Agency Official responsible for providing direction, oversight, and implementation guidance for NASA’s information security program.[8] Further, individual Center Directors are responsible, through their respective Center Chief of Security, for ensuring proper planning and implementation of the Order and managing classified information and material under the jurisdiction and custody of their respective Centers.

NASA’s Classification Activity. As required by the Order and the implementing directive, NASA submits annual reports on original and derivative classification decisions made by its personnel, declassification activities, and any classification guides it creates or uses.[9] Four positions at NASA possess original classification authority: the Administrator, Deputy Administrator, Associate Administrator, and Assistant Administrator for Protective Services.

For fiscal years (FY) 2010 through 2012, NASA reported making no original classification decisions.
However, during that period, 59,284 derivative classification decisions were made Agency-wide – 390 Top Secret, 58,795 Secret, and 99 Confidential.[10] NASA Office of Protective Services (OPS) officials told us that the majority of the 59,284 classification decisions made across the Agency for FYs 2010, 2011, and 2012 related to Sensitive Compartmented Information or Special Access Program documents.[11] In addition, the Agency reported declassifying 938 pages of information as a result of mandatory declassification reviews, 40,872 pages by automatic declassification, and 200 pages as a result of systematic declassification reviews.[12]

[8] Aeronautics and Space Information Security Program, 14 CFR Part 1203-Information Security Program, Executive Order 13526.
[9] Agency Security Classification Management Program Data (Standard Form 311).
[10] Approximately 98 percent of these decisions were made by personnel assigned to NASA Headquarters.
[11] Sensitive Compartmented Information is a classification level for information, generally intelligence-related, requiring security clearances and physical or procedural security measures above those established for collateral classified information or Special Access Program information. Special Access Program means any program established and approved under Executive Order Number 13526 that imposes need-to-know or access controls beyond those normally required for access to collateral Top Secret, Secret, or Confidential information.
[12] Mandatory declassification review means the review for declassification of classified information in response to a request for declassification that meets the requirements under section 3.5 of the Order. Automatic declassification means the declassification of information based solely upon the occurrence of a specific date or event as determined by the OCA or the expiration of a maximum timeframe for duration of classification established under the Order. Systematic declassification review means the review for declassification of classified information contained in records that have been determined by the Archivist (National Archives and Records Administration) to have permanent historical value in accordance with Title 44, U.S. Code.

NASA DOES NOT CONSISTENTLY FOLLOW FEDERAL REQUIREMENTS FOR CLASSIFYING NATIONAL SECURITY INFORMATION

Although NASA’s policies and procedures for managing national security information comply with Federal requirements, we found instances where Agency personnel did not consistently follow these policies.
Specifically, we found classified documents that were improperly marked, training requirements for classifiers that were not met, and self-inspections that were not fully implemented. Although these deficiencies were relatively minor in nature, failure to comply with them increases the risk that personnel may inadvertently misclassify material.

Classified Documents Improperly Marked

As part of our review, we examined the classification markings on 16 documents NASA personnel derivatively classified and found several minor marking deficiencies. Federal requirements dictate that derivative classification markings shall:

  • include the date of origin of the document in a manner that is immediately apparent;
  • identify the derivative classifier;
  • eliminate the use of the exemption markings on documents created on or after September 22, 2003, and declassify those documents 25 years from date of document creation; and
  • include a listing of the source materials on, or attached to, each derivatively classified document when a document is classified derivatively on the basis of more than one source – “Derived From: Multiple Sources.”

For the 16 documents we examined, we found the following deficiencies:

  • 2 documents had no date of origin;
  • 3 documents did not identify the derivative classifier;
  • 12 documents, created after September 22, 2003, contained invalid exemption markings on the “Declassify On” date line;[13] and
  • 1 document – marked “Derived From: Multiple Sources” – did not include a listing of the source materials.

Training Requirements Not Fully Met

Federal regulations require that all persons with OCA must receive training on proper classification prior to originally classifying information and at least once per year thereafter. Likewise, persons who apply derivative classification markings must receive training in the proper application of the derivative classification principles before derivatively classifying any information and at least once every 2 years thereafter. The regulations state that, at a minimum, the training shall cover the principles of derivative classification, classification levels, duration of classification, identification and markings, classification prohibitions and limitations, sanctions, classification challenges, security classification guides, and information sharing.

During 2012, three of the four NASA OCAs received in-person training. The Deputy Administrator was unavailable for the training, but did not perform any original classification decisions during that period.

We spoke with two NASA employees who had derivatively classified documents during 2012. We found that while both individuals completed the mandatory annual security education training refresher, only one had received specific derivative classification training. In addition, neither individual had received the required bi-annual derivative classification training.
Furthermore, we found that NASA policy does not stipulate that employees receive training on derivative classification principles before they classify any information as required by the implementing directive for the Order, the Oversight Office Directive Number 1 (32 CFR Part 2001, “Classified National Security Information”).[14]

[13] NASA personnel acknowledged the use of specific exemption categories is no longer a valid declassification marking on documents created on or after September 22, 2003. NASA personnel explained that the “X1” exemption category is a default system function designed by the originators of the NASA investigative management system currently in use to comply with an earlier executive order. In response to our inquiry regarding the use of the “X1” markings, NASA personnel stated that the system administrators for the current investigative management system have been directed to take immediate action to remove the default “X1” markings from the system and comply with current guidance in the implementing directive.
[14] 14 CFR Part 1203.500(d) – Information Security Program and NPR 1600.2, Chapter 2.3.2 require individuals who apply derivative classification markings receive training, at least once every 2 years, in the proper application of the derivative classification principles of Executive Order No. 13526, but unlike 32 CFR Part 2001.70(d)(4) do not require training prior to derivatively classifying information.

Self-Inspection Requirements Not Fully Implemented

We also found that NASA has not fully implemented Federal self-inspection requirements. Federal regulations require that senior agency officials establish and maintain an ongoing self-inspection program that includes regular reviews of representative samples of the Agency’s original and derivative classification actions. The self-inspections should evaluate adherence to the principles and requirements of the Federal regulations and the effectiveness of agency programs covering original classification, derivative classification, declassification, safeguarding, security violations, security education and training, and management oversight. The self-inspections must be regular, ongoing, and occur at least annually.[15]

Further, NASA policy requires Center Directors, through their Chiefs of Security, to conduct periodic reviews of NASA organizational units involved with original and derivative classification work to ensure compliance with Federal regulations.[16] Specifically, each Center Protective Services Office is required to conduct audits of select Center organizations on a yearly basis to determine if they are complying with NASA policy.

However, based on summary data provided by OPS, 6 of 12 NASA locations did not report conducting any audits of select organizations during FY 2010 through 2012.[17] Moreover, although OPS conducts functional reviews every 3 years to provide oversight of the Centers’ classification activities, we found that the 2012 review did not examine important aspects of NASA’s classification program, including whether classified documents were properly marked or whether classifiers were properly trained.

Conclusion

Although NASA has sound policies in place to manage its classified material, improved compliance with its policies regarding marking documents, training classification officials, and performing self-inspections would better position the Agency to ensure that classified national security information is managed in accordance with Executive Order 13526 requirements. This, in turn, would better ensure that NASA is acting in accordance with Federal guidelines that seek greater openness and transparency in agency classification and declassification programs.

[15] 32 CFR Part 2001.60(a)(b)(c)(d).
[16] Center Chief of Security means the senior Center official responsible for management of the Center’s security program.
[17] Kennedy Space Center, Glenn Research Center, Langley Research Center, Dryden Flight Research Center, Johnson Space Center, and Marshall Space Flight Center provided reports of annual audits. Conversely, Goddard Space Flight Center, Stennis Space Center, White Sands Test Facility, NASA Headquarters, Jet Propulsion Laboratory and Ames Research Center did not provide any reports of annual audits of select organizations.

Recommendations, Management’s Response, and Evaluation of Management’s Response

In order to ensure that NASA complies with security classification requirements, we recommended that the NASA Assistant Administrator for Protective Services take the following actions:

Recommendation 1. Revise 14 CFR 1203 and NPR 1600.2 to require that persons who apply derivative classification markings receive training in the proper application of the derivative classification principles prior to classifying any information.

    Management’s Response.
The Assistant Administrator concurred, agreeing to\n      revise 14 CFR 1203 and NPR 1600.2 to clarify that individuals who apply derivative\n      classification markings must receive the required training prior to classifying any\n      information.\n\n      Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s proposed actions are\n      responsive; therefore, the recommendation is resolved and will be closed upon\n      completion and verification of the corrective actions.\n\n  Recommendation 2. Coordinate with Center Chiefs of Protective Services to ensure that\n  persons who apply derivative classification markings receive training before classifying\n  any information and refresher training at least every 2 years thereafter.\n\n      Management\xe2\x80\x99s Response. The Assistant Administrator concurred, stating that OPS\n      will issue an interim policy letter to all Centers and revise NPR 1600.2 to clarify that\n      individuals must complete training prior to classifying any information as well as (at\n      a minimum) every 2 years thereafter.\n\n      Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s proposed actions are\n      responsive; therefore, the recommendation is resolved and will be closed upon\n      completion and verification of the corrective actions.\n\n  Recommendation 3. Ensure that the Agency self-inspection program includes regular\n  reviews of NASA\xe2\x80\x99s derivative classification actions sufficient to identify and mitigate\n  classification marking and training deficiencies.\n\n      Management\xe2\x80\x99s Response. The Assistant Administrator concurred, stating that OPS\n      will formalize criteria for annual Center self-inspections, provide self-inspection\n      sheets for tracking purposes, and measure the Centers\xe2\x80\x99 progress as part of the\n      Integrated Security Functional Reviews.\n\n      Evaluation of Management\xe2\x80\x99s Response. 
    Management’s proposed actions are
    responsive; therefore, the recommendation is resolved and will be closed upon
    completion and verification of the corrective actions.

APPENDIXES

APPENDIX A

Scope and Methodology

We performed this audit from July 2013 through September 2013 in accordance with
generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.

Public Law 111-258, “Reducing Over-Classification Act” of 2010, requires that Inspectors
General coordinate with each other and with the Oversight Office to ensure that
evaluations of principles, policies, and procedures for NASA Classified National Security
Information follow a consistent methodology, as appropriate, that allows for cross-agency
comparisons. Accordingly, we contacted the Oversight Office and requested copies of
Inspectors General reports it had received.
Additionally, we reviewed the audit reports
issued by two Inspectors General.

At the request of the Council of the Inspectors General on Integrity and Efficiency
(CIGIE) Inspection and Evaluation Committee and with the approval of the CIGIE
Executive Council, the Department of Defense (DOD) OIG led a working group
consisting of other OIGs in developing detailed guidance for OIGs to use, where
appropriate, in evaluating their agencies’ processes for following Executive Order 13526,
“Classified National Security Information,” and its implementing directive, 32 CFR Part
2001, “Classified National Security Information.”18 In part, we used the DOD evaluation
guide to interview the Assistant Administrator for Protective Services, one of four
NASA original classification authorities; interview two derivative classifiers; and
evaluate the extent that NPR 1600.2 adequately prescribes policy and procedures that, if
effectively followed, meet requirements of the Order and its implementing directive. We
also requested supporting documentation to substantiate the completion of required
derivative classification training.

To identify the number of original and derivative classification decisions and
declassification actions made Agency-wide, we reviewed NASA’s Standard Form 311,
“Agency Security Classification Management Program Data,” that had been submitted to
the Oversight Office for FYs 2010, 2011, and 2012.

NASA had no original classifications during FYs 2010, 2011, and 2012.
To identify the
propriety of classification markings, we reviewed 16 derivatively classified documents.

18 On behalf of CIGIE, DOD OIG issued A Standard User’s Guide for Inspectors General Conducting
   Evaluations Under Public Law 111-258, the “Reducing Over-Classification Act,” on January 22, 2013.

We reviewed the Agency-wide self-inspection reports submitted to the Oversight Office
for FYs 2011 and 2012. Also, we requested copies of NASA Headquarters Center
inspection reports for FYs 2010, 2011, and 2012 that had been submitted to NASA OPS.

Use of Computer-Processed Data. NASA Counterintelligence Program personnel
printed and provided hard copies of 12 documents that were maintained in their
electronic investigative database so that we could examine the propriety of the
documents’ classification markings. We did not verify the hard copy documents to the
source documents, but considered the documents that we examined reliable for the
purposes of the review.

Review of Internal Controls

We reviewed 14 CFR 1203 and NPR 1600.2 to determine if NASA’s prescribed policy
and procedures are consistent with the requirements of the Order and the implementing
directive. We interviewed an original and two derivative classification authorities and
determined whether they had adequate knowledge and were following the NASA
Classified National Security Information requirements of NPR 1600.2, the Order, and the
implementing directive. We reviewed classified documents to determine if they were
properly marked and being appropriately declassified.
Also, we determined if NASA
personnel that classified documents were completing required training. We found that
NASA needs to improve some internal controls as discussed in the body of this audit
report.

Prior Coverage

During the last 5 years, the OIGs of the Department of State and the Broadcasting Board
of Governors and the Department of Health and Human Services have issued three
reports of particular relevance to the subject of this report. Unrestricted reports can be
accessed over the Internet at http://oig.state.gov/latest/ and http://oig.hhs.gov/oei/reports/.

United States Department of State and the Broadcasting Board of Governors OIG

“Evaluation of Department of State Implementation of Executive Order 13526, Classified
National Security Information” (AUD-SI-13-22, March 2013)

Department of Health and Human Services OIG

“HHS Adopted, Administered, and Generally Followed Classified Information Policies”
(OEI-07-12-00400, May 2013).

“Originally and Derivatively Classified Documents Met Most Federal Requirements”
(OEI-07-12-00401, May 2013).

APPENDIX B

MANAGEMENT COMMENTS

APPENDIX C

REPORT DISTRIBUTION

National Aeronautics and Space Administration

  Administrator
  Associate Administrator
  Chief of Staff
  Assistant Administrator for Protective Services
  NASA Advisory Council’s Audit, Finance, and Analysis Committee

Non-NASA Organizations and Individuals

  Office of Management and Budget
     Deputy Associate Director, Energy and Science Division
         Branch Chief, Science and Space Programs Branch
  Government Accountability Office
     Director, Office of Acquisition and Sourcing Management
  National Archives and Records Administration
         Director, Information Security Oversight Office

Congressional Committees and Subcommittees, Chairman and Ranking Member

  Senate Committee on Appropriations
     Subcommittee on Commerce, Justice, Science, and Related Agencies
  Senate Committee on Commerce, Science, and Transportation
     Subcommittee on Science and Space
  Senate Committee on Homeland Security and Governmental Affairs
  Senate Select Committee on Intelligence
  House Committee on Appropriations
     Subcommittee on Commerce, Justice, Science, and Related Agencies
  House Committee on Homeland Security
  House Committee on Oversight and Government Reform
     Subcommittee on Government Operations
  House Committee on Science, Space, and Technology
     Subcommittee on Oversight
  House Permanent Select Committee on Intelligence
     Subcommittee on Space

Major Contributors to the Report:
   Ridge Bowman, Director, Space Operations Directorate
   Kenneth Sidney, Project Manager
   Ellis Lee, Lead Auditor
   Gene Bauer, Auditor
   Cedric Campbell, Associate Counsel to the Inspector General

ADDITIONAL COPIES
Visit http://oig.nasa.gov/audits/reports/FY13/ to obtain additional copies of this report, or contact the
Assistant Inspector General for Audits at 202-358-1232.

COMMENTS ON THIS REPORT
In order to help us improve the quality of our products, if you wish to comment on the quality or
usefulness of this report, please send your comments to Mr. Laurence Hawkins, Audit Operations and
Quality Assurance Director, at Laurence.B.Hawkins@nasa.gov or call 202-358-1543.

SUGGESTIONS FOR FUTURE AUDITS
To suggest ideas for or to request future audits, contact the Assistant Inspector General for Audits.
Ideas and requests can also be mailed to:
      Assistant Inspector General for Audits
      NASA Headquarters
      Washington, DC 20546-0001

NASA HOTLINE
To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or
800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L’Enfant
Plaza Station, Washington, DC 20026, or use http://oig.nasa.gov/hotline.html#form. The identity of
each writer and caller can be kept confidential, upon request, to the extent permitted by law.